FQDN in Packet Filter
I want to restrict access to specific public domain names from my machine.
For achieving this, I am providing fully qualified domain names in the packet filter rule, for example:
Code:
pass out on <interface> inet from <myip> to example.com
pass in on <interface> inet from example.com to <myip>
What I understood from the OpenBSD user guide is: "A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule." I have a few queries from this:
1. IPs are substituted into the rule while loading the ruleset; what if there is a change in the IP of the domain name after loading?
2. Is this FQDN option in a pf rule only for static IPs?
3. Does it consider the IP dynamicity of the domain name?
For PF, domain resolution occurs at rule loading time ONLY. And if the rules are being loaded during boot by rc(8), a domain name server may not yet be available to the OS. In that case, resolution must come from a hosts(5) file rather than a server. For HTTP/HTTPS traffic, the better solution is relayd(8). There's an example of blocking a social media website in the relayd.conf(5) man page.
Two additional points on domain resolution.
Code:
pass in from yahoo.com
Code:
pass in inet6 from <__automatic_311a83f5_0> to any flags S/SA
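The two replies above make the same point from two sides: pfctl resolves an FQDN exactly once, when the ruleset is loaded, and stores the result in an automatically generated table (the `<__automatic_...>` name in the expanded rule). The usual way to cope with addresses that change afterwards is to do the resolution yourself, keep the result in a named `persist` table, and refresh that table with `pfctl -t <name> -T replace` from cron without reloading the whole ruleset. The following Python script is an added example of that approach; it is not from either poster and not part of pf or OpenBSD. The `sample_resolver` and its addresses are constructed so the script runs offline; the interface name `em0`, the local address `192.0.2.10` and the `fqdn_` table prefix are assumptions, and the generated lines follow the rule shape used in the original question.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps an FQDN to its current A/AAAA addresses. The default asks
# the OS resolver; a stub is injected in tests so everything runs offline.
Resolver = Callable[[str], Iterable[str]]

# Constructed sample data standing in for DNS answers (not real addresses).
SAMPLE_DNS = {
    "example.com": ["203.0.113.9", "198.51.100.7", "198.51.100.7", "2001:db8::7"],
}


def sample_resolver(fqdn: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed SAMPLE_DNS table."""
    return list(SAMPLE_DNS[fqdn])


def system_resolver(fqdn: str) -> List[str]:
    """Ask the OS resolver for every address of fqdn (what pfctl does once, at load time)."""
    addrs = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(fqdn, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addrs.add(sockaddr[0])
    return list(addrs)


def normalize(addrs: Iterable[str]) -> List[str]:
    """Validate, deduplicate and sort addresses: IPv4 first, then IPv6."""
    parsed = {ipaddress.ip_address(a) for a in addrs}
    return [str(a) for a in sorted(parsed, key=lambda a: (a.version, int(a)))]


def table_name(fqdn: str) -> str:
    """pf table names are limited to letters, digits and underscores."""
    return "fqdn_" + "".join(c if c.isalnum() else "_" for c in fqdn)


def build_ruleset(fqdns: Iterable[str], iface: str, local: Dict[str, Optional[str]],
                  resolve: Resolver = system_resolver) -> str:
    """Emit a pf.conf fragment: one persistent table per FQDN plus pass rules.

    `local` maps 'inet' / 'inet6' to this host's address in that family
    (None to skip the family). Rules are only emitted for families that
    the name actually resolved to, since an `inet` rule never matches the
    IPv6 entries of a table.
    """
    lines = []
    for fqdn in fqdns:
        name = table_name(fqdn)
        addrs = normalize(resolve(fqdn))
        lines.append(f"table <{name}> persist {{ {', '.join(addrs)} }}")
        has = {"inet": any(":" not in a for a in addrs),
               "inet6": any(":" in a for a in addrs)}
        for af, myip in local.items():
            if myip and has.get(af):
                lines.append(f"pass out on {iface} {af} from {myip} to <{name}>")
                lines.append(f"pass in on {iface} {af} from <{name}> to {myip}")
    return "\n".join(lines) + "\n"


def refresh_commands(fqdns: Iterable[str], resolve: Resolver = system_resolver) -> List[str]:
    """pfctl commands a cron job would run to re-sync the tables in place.
    `-T replace` swaps the table contents atomically; no ruleset reload needed."""
    cmds = []
    for fqdn in fqdns:
        addrs = normalize(resolve(fqdn))
        cmds.append(f"pfctl -t {table_name(fqdn)} -T replace {' '.join(addrs)}")
    return cmds


def table_diff(old: Iterable[str], new: Iterable[str]) -> Dict[str, List[str]]:
    """Report which addresses a refresh would add or drop, for logging."""
    o, n = set(normalize(old)), set(normalize(new))
    return {"added": normalize(n - o), "removed": normalize(o - n)}


if __name__ == "__main__":
    names = ["example.com"]
    print(build_ruleset(names, "em0", {"inet": "192.0.2.10", "inet6": None},
                        resolve=sample_resolver))
    for cmd in refresh_commands(names, resolve=sample_resolver):
        print(cmd)
```

In production the script would be run with the default `system_resolver`, the fragment written into pf.conf once, and `refresh_commands` executed periodically. Because the table is declared `persist`, it survives even while empty, and replacing its contents does not disturb existing states. This is only a mitigation, not a guarantee: you are still trusting whatever DNS returns at refresh time, and a name that round-robins across many addresses will only ever be partially covered, which is why the earlier reply points to relayd(8) for HTTP/HTTPS, where filtering can be done on the hostname itself.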